accessType field in set hardware breakpoint

Oct 15, 2013 at 3:13 AM
Edited Oct 15, 2013 at 3:13 AM
Hi guys,

I want to set a breakpoint when the application writes to (accesses) a specific memory address, so I searched and found that the setBp function allows me to set a hardware breakpoint. But I don't know what the value of accessType should be. I tried to set accessType = 2 (the value of DEBUG_BREAK_WRITE) but it does not work :(

Can anyone help me please?
Oct 15, 2013 at 12:45 PM
Immediately after the start of the process:
0:000> x calc!WinMain
00000000`ff07d31c calc!WinMain (<no parameter info>)
0:000> ba e 1 calc!WinMain
        ^ Unable to set breakpoint error
The system resets thread contexts after the process
breakpoint so hardware breakpoints cannot be set.
Go to the executable's entry point and set it then.
 'ba e 1 calc!WinMain'
0:000> !dh calc
   1B9B8 address of entry point
0:000> g calc+1B9B8 
00000000`ff07b9b8 4883ec28        sub     rsp,28h
0:000> ba e 1 calc!WinMain
0:000> g
Breakpoint 1 hit
00000000`ff07d31c 48895c2410      mov     qword ptr [rsp+10h],rbx ss:00000000`000ffea8=0000000000000000
Your case?
Oct 15, 2013 at 2:09 PM
Edited Oct 15, 2013 at 2:10 PM
Well, my current solution is to use the dbgCommand() function and the windbg command 'ba w4' - just like EreTIk :D but this solution is very restricted in the callback function, because the callback is written in windbg script :( So it would be so nice if I could set a hardware breakpoint in Python :D
Oct 16, 2013 at 1:05 PM
Edited Oct 16, 2013 at 1:05 PM
What is the pykd version?
0.3.x is an unstable version and has no hardware support yet

I tried this sample with pykd:
>>> from pykd import *
>>> ntdll = module("ntdll")
>>> setBp( ntdll.NtCreateFile, 1, 4, lambda x: dprintln("hello!") )  # equivalent to ba e1 ntdll!NtCreateFile
It works well enough.

1) If you run the script by !py, you should know that it works in a separate Python machine and all objects, including breakpoints, will be deleted at the end of the script.
If you want a "global" breakpoint, you should use the !pycmd interpreter - it works in the global Python interpreter:
import my_file_with_breakpoint
2) Read EreTIk once again. A hardware breakpoint is set by writing values into the debug registers (DRx). These registers are part of the thread context. And this context may be cleared on process start.
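An added illustration of the two answers above, not code from this thread or from pykd itself: a pure-Python model of what a setBp(offset, size, accessType, callback) request has to write into a thread's Dr0-Dr3 and Dr7, using the DEBUG_BREAK_* values the thread uses for accessType. The DebugRegisters class and its method names are this example's own assumptions; the bit layout is the x86 DR7 layout, and clear() mirrors the thread-context reset that makes an early 'ba' fail.

```python
# DbgEng DEBUG_BREAK_* flags, the values passed as pykd's setBp accessType argument.
DEBUG_BREAK_READ, DEBUG_BREAK_WRITE, DEBUG_BREAK_EXECUTE = 1, 2, 4
# DR7 R/W field encodings; x86 has no read-only watchpoint, only read/write.
RW_EXECUTE, RW_WRITE, RW_READWRITE = 0b00, 0b01, 0b11
# DR7 LEN field encodings; the 8-byte length exists only in 64-bit mode.
LEN_BITS = {1: 0b00, 2: 0b01, 8: 0b10, 4: 0b11}


def access_to_rw(access_type):
    """Map a DEBUG_BREAK_* accessType to the DR7 R/W encoding."""
    if access_type == DEBUG_BREAK_EXECUTE:
        return RW_EXECUTE
    if access_type == DEBUG_BREAK_WRITE:
        return RW_WRITE
    if access_type in (DEBUG_BREAK_READ, DEBUG_BREAK_READ | DEBUG_BREAK_WRITE):
        return RW_READWRITE  # a read watchpoint also fires on writes
    raise ValueError("unsupported accessType %r" % access_type)


class DebugRegisters:
    """Dr0-Dr3 and Dr7 of one thread context (Dr6, the status register, is omitted)."""

    def __init__(self):
        self.clear()

    def clear(self):
        """What the context reset at the initial process breakpoint does: all slots gone."""
        self.dr = [0, 0, 0, 0]
        self.dr7 = 0

    def set_bp(self, address, size, access_type):
        """Program the first free slot like 'ba <access><size> <address>'; return its index."""
        rw = access_to_rw(access_type)
        if rw == RW_EXECUTE:
            size = 1  # execute breakpoints must use length 1
        if size not in LEN_BITS:
            raise ValueError("size must be 1, 2, 4 or 8")
        if address % size:
            raise ValueError("address must be aligned to size")  # why 'ba w4' on an odd address fails
        for slot in range(4):
            if not self.dr7 & (1 << (2 * slot)):  # L<slot> enable bit clear: slot is free
                self.dr[slot] = address
                self.dr7 |= 1 << (2 * slot)  # local enable
                self.dr7 &= ~(0b1111 << (16 + 4 * slot))  # clear stale R/W and LEN bits
                self.dr7 |= (rw | (LEN_BITS[size] << 2)) << (16 + 4 * slot)
                return slot
        raise RuntimeError("all four hardware breakpoint slots are in use")
```

Only four slots exist per thread, so a debugger that keeps a hardware breakpoint across the context reset has to re-program the registers once the entry point is reached, which is what the 'g calc+1B9B8' step above achieves by hand.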
Oct 21, 2013 at 3:00 AM
Edited Oct 21, 2013 at 3:00 AM
Thank you so much :D

And I have one more question: is there any command in pykd that allows me to set an unresolved breakpoint - like the "bu" command in windbg script?
Oct 21, 2013 at 7:29 AM
I'm afraid there is no such capability. But you can make it yourself: you should use the eventHandler class and implement the onModuleLoad handler.
import pykd

class MyEventHandler(pykd.eventHandler):

    def onModuleLoad(self, moduleName):
        if moduleName == "my_module_name":
            m = pykd.module(moduleName)
            pykd.setBp(m.getOffset("myRoutine"))

myEventHandler = MyEventHandler()  # this object must have enough lifetime